Restricting Applications in Windows

I decided not to hijack another thread with my curiosity, so I'm starting a new thread here.

How can a Windows user (XP, Vista & Win 7) change/add/remove Mandatory Access Controls (recognizing that the answer may be different for each OS)? I want a tool that allows me to determine exactly what each program will be allowed to do. For instance I could confine my browser so that any malware I encounter can't access system files. It would prevent escalation of privileges. Does Windows allow me to have that kind of fine-grained control? Are the only options extra software that does it for me (like AppGuard)?

I'm comparing it to AppArmor, which is Ubuntu's answer to Mandatory Access Controls.

 

It is not natively supported. Instead Windows has MIAC, Mandatory Integrity Access Control. The best you can do is assign a file to a predefined "profile", which will have a loose set of write restrictions.

Lame, right?

In short, no AppGuard for Windows.

 

I'm flabbergasted. Seriously? You & I are the only people in the world that want to control access in Windows?

What??

#typed from my Linux machine

 

Yeah I was actually a bit surprised by it myself... there's absolutely no way to fine tune a MAC system in Windows via the OS. The most you can do is try to get a program working with Low Integrity, which will likely break it entirely.

 

Yes, there's no native way of doing it... kind of. You can work with integrity levels, but far from being perfect for what you aim to do.

But, you can restrict such access with Sandboxie, for example. It's not a native solution, but it works.

I wish I could have a solution that would only do that task, though. I do wonder why AppLocker didn't result in such, after all, the name AppLocker comes from application locker. Lock execution and access, right? They forgot the access part, once it's permitted.

By the way, what else have we got out there that would give such functionality?

 

Not really. You don't have to give something a low integrity level. Not only. I'll explain.

I run Chromium with an explicit low integrity level. I'm pretty sure you're aware of its benefits, by now. But, a low integrity level object can still read from medium/high integrity level objects and containers.

The solution is to apply an explicit medium/high integrity level to such objects and containers and apply the flags NoReadUp. By itself, this would already prevent low integrity level objects from reading medium and high integrity level objects and containers; medium integrity level objects wouldn't be able to read from high integrity level objects and containers.

I follow this approach for a lot of folders I wish to protect (not important information, just things I don't want to give everything open access).

There's also the flags NoExecuteUp and NoWriteUp (the latter applied by default).

 

Sandboxie is the only program that came to mind.

 

I'm doing some more digging. I found that in Vista MAC = Mandatory Integrity Control. I also found an explanation of how it works on microsoft's website.

Access Control for Application Resources can be set in Windows on a Windows Server according to MS. So maybe it can't be done on desktops but it can be done in servers? Or will that only be Discresionary Access Controls?

 

I think GesWall works similar to what we're discussing? It create some sort of sandbox policy. And, we can add our own rules, I believe. I actually think that it does; I've never used it, so I can't be sure what it would allow us to achieve.

But, judging by the screenshot, it does allow to restrict access to Registry and File System entries.

-http://i1-win.softpedia-static.com/screenshots/GeSWall_3.png

 

AppGuard (which I saw in someone's signature and then googled) looks like it tries to do MAC. Anyone have any experience with it?

 

It isn't path based like apparmor iirc and it's not super configurable either. I used it for about an hour to play around with but I couldn't block certain things without blocking certain other things. I think it's a system wide thing too instead of a per-application restriction.

 

That was my initial impression of it- looks like it tries to do everything for you to appeal to the non-tech folks in the world. I'm a nerd so I like to configure stuff myself

 

GeSWall looks like it's not terribly configurable either, a quote from their website

 

That sounds about what you'd like.

 

You can add your own rules, that would block the file system and Registry. Still, we would have to run the applications isolated, judging by this:

Source: -http://www.gentlesecurity.com/geswall_how.html

I'd like for something different, though. I'd like the same functionality, but without the isolation; simply something that would allow to add applications so that I could block access to areas I wish. This would work as a service + application (GUI), and it would automatically monitor the applications in the rules and prevent access to such areas. A global setting would be nice, though.

Any such thing?

 

Just Sandboxie.

 

The champs in this area are
1. Powerbroker free edition (needs at least Pro Windows edition)
2. GesWall free edition (also limited to x32)

See my sig on how to achieve something simular as AppArmor on unix

 

Safe-admin doesn't do what AppArmor does.

I can achieve a bit of what it does, using integrity levels. We could also isolation sensitive applications, such as a dedicated browser from home banking in a secure desktop. This would isolate it from everything else.

Not even Sandboxie. With Sandboxie you need to isolate the application to prevent access to areas we wish to block access to.

 

If you use Sandboxie and allow full access everywhere and then block access to paths it's what he wants.

 

Oh, OK. I thought you were replying to me.

 

GesWall is easy to set and to use.

 

Safe-admin by far does not achieve what AppArmour can control in a granular manner

 

Powerbroker looks interesting. Can you run it along with GesWall?

 

What IS safe-admin? Is it 3rd party software? Is it a certain configuration? Sorry, I didn't really get what it was from the link in the sig.

 

I actually forgot all about PowerBroker. You may see more mentioned in a thread I started sometime ago: https://www.wilderssecurity.com/showthread.php?t=312231

Shame on me, for not remembering it.

-edit-

Here's a review on PowerBroker -http://redmondmag.com/articles/2012/01/01/powerbroker-desktops-dlp-safeguards-sensitive-information.aspx